Aurora attackers target defense firms, use flurry of zero-days

Security researchers monitoring cybercriminals tied to the 2009 Aurora attacks said the group is
demonstrating strong skills and sophistication, using a flurry of zero-day vulnerabilities in 2011
and at least four zero-day flaws over the last few months.



The group's primary target appears to be U.S. defense contractors and their partners in the
supply chain, including manufacturers of electronic or mechanical components.

Symantec issued a research paper Friday analyzing the group's apparent increased use of zero-day
flaws and a new targeted attack technique. The group, which relied on spear phishing attacks to
infect employee computers, has also introduced a "watering hole" style attack, targeting website
vulnerabilities in sites often visited by the targeted organization's employees. Similar to a
drive-by attack, the cybercriminals wait for a victim to visit the compromised website and scan the
victim's computer for vulnerabilities.

"The group seemingly has an unlimited supply of zero-day vulnerabilities," said Symantec, which
calls the attacks the Elderwood Project, based on the
exploit source code used in the attacks. "The vulnerabilities are used as needed, often within
close succession of each other if exposure of the currently used vulnerability is imminent."

Symantec said the group used approximately eight zero-day flaws in 2011. In 2012, the group
appears to be continuing its targeted attacks. Since April, two Flash Player zero-day flaws were
used in attacks, as well as an Internet Explorer zero-day and a zero-day in Microsoft XML Core
Services. The flaws have since been patched.

Watering hole attack. Image via Symantec.

The Operation Aurora attacks were uncovered in December 2009. Google and dozens of other companies
were victims of a cyberattack believed to have originated in China. The attackers appear to be
interested in a wide range of targets, including human rights groups. Victims were infected with
the Hydraq Trojan, which was delivered using an Internet Explorer vulnerability. It opened a
backdoor on victims' machines, ultimately letting attackers leapfrog onto the corporate network.

Despite a number of security firms closely monitoring the group's activities, detecting an
attack may be difficult, said Eric Chien, senior technical director for Symantec Security Response.
Chien said the group is constantly changing its malicious binaries and command and control
infrastructure and adding new exploits. The group works in waves, actively attacking their
targets over a three month period, then going dark for several months.

"U.S. organizations are definitely predominant in the statistics, but we definitely are seeing
them all over the world," Chien said. "These guys are persistent, they're constant and any of these
organizations are potentially vulnerable."


Chien said Symantec researchers detected some Hydraq code used in binaries recovered in 2011 and
2012 attacks. The packer, or outer obfuscation layer, of the malicious code is being reused, enabling
antivirus and other security technologies to be effective in detecting the Trojan, he said.

The use of zero-day flaws displays a high level of skill and funding, Chien said.

"They definitely have an infrastructure where there are people making the tools and operators
essentially using those tools to help conduct their attacks," he said. "We don't see any evidence
that this is a classic cybercrime gang. Clearly they are after intellectual property like design
documents, source code if you are a software company, business intelligence like contracts and
merger and acquisition documents."

Symantec is warning defense sector manufacturers to expect a new round of attacks in 2013. The
group will also target any business partner connected to the manufacturer, including subsidiaries,
business partners and associated companies, Symantec said.

Spear phishing continues to be a common way for the group to carry out attacks, but use of the
watering hole technique is increasing, Symantec said in its paper, The Elderwood Project (pdf).
The technique was first detected by RSA researchers in July. Website weaknesses are common and not
difficult to detect and exploit, enabling attackers to inject attack code into an iFrame and wait
for victims to visit the legitimate site.

"The attackers may compromise a website months before they actually use it in an attack," the
Symantec researchers said. "Once compromised, the attackers periodically connect to the website to
ensure that they still have access."
